Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.8.0, 3.0.0-alpha1
    • Component/s: None
    • Labels: None
    • Hadoop Flags: Reviewed

      Description

      Nessus scan shows that JMXJsonServlet is vulnerable to TRACE/TRACK requests. We could disable this to avoid such vulnerability.

        Activity

        haibochen Haibo Chen added a comment -

        The patch overrides the doTrace method in JMXJsonServlet to disable TRACE requests.

        hadoopqa Hadoop QA added a comment -
        +1 overall



        Vote Subsystem Runtime Comment
        0 reexec 0m 21s Docker mode activated.
        +1 @author 0m 0s The patch does not contain any @author tags.
        +1 test4tests 0m 0s The patch appears to include 1 new or modified test files.
        +1 mvninstall 6m 25s trunk passed
        +1 compile 6m 29s trunk passed
        +1 checkstyle 0m 23s trunk passed
        +1 mvnsite 0m 54s trunk passed
        +1 mvneclipse 0m 13s trunk passed
        +1 findbugs 1m 19s trunk passed
        +1 javadoc 0m 44s trunk passed
        +1 mvninstall 0m 39s the patch passed
        +1 compile 6m 37s the patch passed
        +1 javac 6m 37s the patch passed
        +1 checkstyle 0m 24s the patch passed
        +1 mvnsite 1m 0s the patch passed
        +1 mvneclipse 0m 13s the patch passed
        +1 whitespace 0m 0s The patch has no whitespace issues.
        +1 findbugs 1m 35s the patch passed
        +1 javadoc 0m 51s the patch passed
        +1 unit 8m 30s hadoop-common in the patch passed.
        +1 asflicense 0m 22s The patch does not generate ASF License warnings.
        37m 47s



        Subsystem Report/Notes
        Docker Image:yetus/hadoop:e2f6409
        JIRA Patch URL https://issues.apache.org/jira/secure/attachment/12812025/hadoop13299.001.patch
        JIRA Issue HADOOP-13299
        Optional Tests asflicense compile javac javadoc mvninstall mvnsite unit findbugs checkstyle
        uname Linux 250499de3aa4 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
        Build tool maven
        Personality /testptch/hadoop/patchprocess/precommit/personality/provided.sh
        git revision trunk / 8c1f81d
        Default Java 1.8.0_91
        findbugs v3.0.0
        Test Results https://builds.apache.org/job/PreCommit-HADOOP-Build/9838/testReport/
        modules C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common
        Console output https://builds.apache.org/job/PreCommit-HADOOP-Build/9838/console
        Powered by Apache Yetus 0.4.0-SNAPSHOT http://yetus.apache.org

        This message was automatically generated.

        stevel@apache.org Steve Loughran added a comment -

        Is there a specific CVE here?

        haibochen Haibo Chen added a comment -

        Hi Steve Loughran, there is no specific CVE here. This is found in a network scan.
        Is there any component relying on the TRACE? If not, we can disable it just in case, which is exactly what the patch is doing.
        If this needs to be discussed in the security mailing list first, I can start a discussion there.

        templedf Daniel Templeton added a comment -

        Looks like the issue is a potential hole to allow for cross site tracing (https://www.owasp.org/index.php/Cross_Site_Tracing). It could be a false alarm, but it's definitely something that a customer who scans Hadoop will find. If we're not doing anything with the TRACE operation, then we should close the hole just to be safe.
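        Added illustrative code, not the patch attached to this issue and not Hadoop's JMXJsonServlet: a servlet that overrides doTrace() to refuse TRACE, which is the fix pattern described in the comments above, and that also overrides doOptions(), because the inherited implementation keeps advertising TRACE in the Allow header. The class name NoTraceServlet and the placeholder JSON body are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet used to illustrate the fix pattern.
 *
 * HttpServlet.doTrace() is not abstract: its default body echoes the request
 * line and every request header back in a message/http response. On an
 * endpoint a browser reaches with a session cookie, that echo is what turns
 * TRACE into a cross-site tracing (XST) finding, so the override below
 * replaces it with a 405.
 */
public class NoTraceServlet extends HttpServlet {
  private static final String ALLOWED = "GET, HEAD, OPTIONS";

  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {
    // Stand-in for the real JSON payload; the content is irrelevant here.
    resp.setContentType("application/json; charset=utf-8");
    resp.getWriter().write("{\"beans\":[]}");
  }

  /** Refuse TRACE instead of inheriting the header-echoing default. */
  @Override
  protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {
    // RFC 7231 requires an Allow header on a 405 response.
    resp.setHeader("Allow", ALLOWED);
    resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "TRACE is disabled");
  }

  /**
   * The inherited doOptions() always lists TRACE in Allow, so a scanner that
   * trusts OPTIONS would still report it. Override it as well.
   */
  @Override
  protected void doOptions(HttpServletRequest req, HttpServletResponse resp)
      throws ServletException, IOException {
    resp.setHeader("Allow", ALLOWED);
    resp.setStatus(HttpServletResponse.SC_OK);
  }
}
```

        To confirm the fix on a running instance, `curl -i -X TRACE http://<host>:<port>/jmx` should return 405 with an Allow header and no echoed request headers in the body.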

        templedf Daniel Templeton added a comment -

        The patch looks good to me. +1 (non-binding)

        kasha Karthik Kambatla added a comment -

        The patch looks good to me. Haibo Chen - could you confirm this on a cluster as well?

        haibochen Haibo Chen added a comment -

        Tested in a pseudo-distributed cluster, it worked as expected.

        kasha Karthik Kambatla added a comment -

        +1. Checking this in.

        kasha Karthik Kambatla added a comment -

        Thanks Haibo Chen for the contribution, and Daniel Templeton for the review.

        Just committed this to trunk, branch-2, and branch-2.8.

        hudson Hudson added a comment -

        SUCCESS: Integrated in Hadoop-trunk-Commit #10248 (See https://builds.apache.org/job/Hadoop-trunk-Commit/10248/)
        HADOOP-13299. JMXJsonServlet is vulnerable to TRACE. (Haibo Chen via (kasha: rev 85422bb7c5d3e70a49f620ba1c8800e0ba4b64f2)

        • hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java
        • hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java

          People

          • Assignee: haibochen Haibo Chen
          • Reporter: haibochen Haibo Chen
          • Votes: 0
          • Watchers: 8
